
The Evolution of Operational Risk Management


By Kristin Gallina Lovejoy, CTO, Consul Risk Management

Humans have been managing risk ever since they were capable of rational thought -- weighing the risks of hunting large animals against the reward of a wooly mammoth steak; sacrificing cats and virgins to the gods in expectation of rewards in the afterlife. And we still do it today -- worrying over the effect of that third Twinkie on our cholesterol level versus the sugar high we may gladly experience.

Of course, today the risk management process is logical, explicit and systematic, allowing us to rely on sophisticated mathematics and methodologies to determine the likelihood, impact and exposure of risks. After all, when weighing that Twinkie, we need only look at the wrapper to quantify how devastating the effects may be.

"The most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interests of the bank to be compromised in some other way, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems or events such as major fires or other disasters." (SOURCE)

In the business world, risk management has evolved into several categories. These categories are defined through different causes and/or effects. In the banking industry, for example, market risk is defined as the systemic risk inherent in the capital market (i.e. the risk that is not diversifiable through trading in financial contracts). Credit risk is defined as loss exposure due to counterparties' default on contracts. With respect to operational risk, there does not yet exist an agreed-upon definition. In fact, the first definitions were mostly based on the "everything but" principle, such as "all risks but market and credit risk." The most widely accepted definition of operational risk, proposed by the Basel Committee on Banking Supervision (BCBS) in "The New Basel Capital Accord" [2001], is:

"the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events"

Interestingly though, operational risk management (ORM), despite the lack of a settled definition, is being heralded as the next big thing and the reason why all Chief Security Officers may want to pursue an MBA.

Today's vision of ORM is to optimize the performance of a business by understanding the effects of adverse operational losses on our business activities and assets so that we can insure against them by preparing for that "rainy day."

Traditionally, operational risk can be associated with the following:
  • People: losses associated with intentional violation of internal policies by current or past employees.
  • Process: losses that have been incurred due to a deficiency in an existing procedure, or the absence of a procedure. Losses can result from human error or unintentional failure to follow an existing procedure.
  • Systems: losses that are caused by unintentional breakdowns in existing systems or technology.
  • External: losses occurring as a result of natural or man-made forces, or the direct result of a third party's action.

"Nicholas Leeson was a rogue trader who reduced the value of the venerable Baring Brothers & Co (BB&Co) Bank from roughly $500 million dollars to $1.60. Leeson traded futures contracts on the Nikkei 225 and on Japanese Government Bonds without authorization while management at Barings, the Singapore International Monetary Exchange, the Osaka Stock Exchange, and other governing bodies in Britain and Singapore disregarded or failed to recognize the potential for financial disaster. The failure of Barings Bank provides a lesson in the risks and responsibilities involved in organizing and monitoring derivatives trading." (SOURCE)
What is the Status of Operational Risk Management in the World Today?
The answer to this question varies according to geographic region. In Europe, for example, there are often more formal, structured, enterprise-wide operational risk programs in the works. Why? Regulators there appear to have been more vocal about operational risk for the past decade, most likely in the wake of events like the Barings rogue trading incident and in reaction to the Basel II Capital Accord.

In the U.S., on the other hand, risk management efforts have been focused on tactical initiatives and activities: risk assessment and monitoring, risk mitigation and remediation, and measurement and monitoring within a business line or around a specific operation. Often, efforts within this area are identified as security management efforts, which are typically driven by the need to comply with minimum security standards.

Are we seeing a move toward "operational risk management" in the U.S.?
Yes. Absolutely.

In the U.S., the number one factor accelerating development of ORM as a field is the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Government created SOX to provide better information to investors. The word "information" is critical, as it focuses on the responsibility of corporate management and the evaluation of that management's performance through an internal control framework.


A Snapshot of the Sarbanes-Oxley Act of 2002
Why: Fight corporate corruption
Where: Publicly traded companies and their auditors, and attorneys
When: A moving target...
IT Impact: More stringent reporting requirements, mandating internal controls on financial reporting systems
Penalties: A corporate officer who knowingly certifies a false financial report can be fined up to $1 million or face up to 10 years in prison, or both. If done willfully, up to $5 million in fines or 20 years in prison, or both.
Public Law: Public Law 107-204 (2002)
Regulations: Implementing Sections 404, 406, 407; 17 CFR Parts 210, 228, 229, 240, 249, 270, 274

Wait, you say, I thought that SOX was about compliance with minimum security standards -- not business performance (ORM). And to you I say, "think again." Compliance with SOX means establishing a framework for assessing the effectiveness of internal controls. Here is where most organizations begin to stray into the "taxonomy gap." Unfortunately, many security professionals think "patch" or "firewall" or "PKI" when they hear the word "control." They immediately interpret SOX as requiring administrative, technical, or physical controls to be established (often pursuant to best practices) in order to meet Section 404 strictures.

WRONG.

While internal control was not defined in the Act, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) definition has been accepted by the U.S. government and its agencies, incorporated in U.S. auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. In fact, under the regulations for Section 404, the SEC will use AU 319 as the reference. Here's the key: COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
What's a process?

Actor (who) + Act (what) + Asset (on what) = Process

Within the context of the integrated control framework, COSO identifies five components of control that need to be in place and integrated to ensure the achievement of each of the objectives. When you boil it down, COSO requires that organizations document the key processes which could affect financial reporting (and the shareholder's bottom line), evaluate each of the elements of the process to identify whether they are adequately controlled, remediate any high risk discovered, monitor those processes, and create an atmosphere and infrastructure where "material deficiencies" in the process can be reported in real time up the chain.

So, in summary, to meet SOX requirements, an enterprise must implement a framework for identifying and managing risk to financial reporting. The purpose of this exercise is to protect shareholder value.

Is it working? The answer seems to be yes. In fact, recent evidence points to SOX as actually creating value in the minds and hearts of the shareholders. According to Ellen Silverman of the Risk Center, "The reality however, is since the act (SOA) was passed two years ago, there have been 164 IPOs in 2004 through October, raising a total of $31 billion, compared with 84 deals totaling close to $15.6 billion for 2003. Thus, SOX seems to have engendered investor and market confidence, not wariness." (SOURCE)

If you're not sold yet, it may be wise to turn instead to the tea leaves. Even more compelling than the inferred ORM verbiage in the Integrated Control Framework is the "Enterprise Risk Management" (ERM) framework published by COSO in September of 2004. Keeping in mind rumors that the ERM framework represents the future of SOX, it would behoove you to study the messages:
  • In the ERM framework, reporting covers all reports developed by the entity, disseminated both internally and externally, and the scope expands to include financial information for "financial reporting" AND non-financial information.
  • Also, unlike internal controls, ERM has "strategic" objectives, which means that the framework's objectives flow from an entity's mission or vision, and the operations, reporting and compliance objectives should be aligned with them.

In other words, to meet SOX (the sequel), an enterprise must implement a framework for identifying and managing risk BEYOND financial reporting. The purpose of this exercise is not simply to protect shareholder value but to "maximize business performance" throughout the business.

Where is the Industry Now?
The majority of enterprises today are in one of four phases when it comes to ORM: ignorance, realization, implementation, and ORM nirvana.

Phase 1: Ignorance
In this phase, representing a large but rapidly shrinking pool of companies, the organization has a siloed approach to managing risk and security. In fact, most efforts are focused on security instead of risk. A Phase 1 organization is characterized by siloing security to the IT Department, the Physical Security Group, and/or the Human Resources Department, which sometimes controls security policies associated with people. To test whether your organization is in Phase 1, I would suggest the following: find a security administrator and ask, "I am trying to come up with a definition of 'internal control'; can you give me an example?" If the answer is anything other than "process," well then...

Phase 2: Realization
While by no means the rule, enterprises within Phase 2 understand that operational risk is, or will be, a major issue. These companies have selected a framework for ORM and have started planning operational risk programs. For instance, many have one-off initiatives underway, implementing operational risk activities around financial reporting initiatives as driven by Section 404 SOX requirements. A key trademark of a Phase 2 organization is newly formed committees with representatives from Audit, Finance, IT, Physical Security, HR and Information Security dedicated to managing risk to business activities.

Phase 3: Implementation
A growing number of enterprises (particularly in the financial services, healthcare, government, and energy verticals) have set up more formal ORM frameworks and have designated resources for operational risk (i.e. creation of the role of Chief Risk Officer). Enterprises within this category have several risk management initiatives underway and have started to identify and measure basic operational risk indicators. They have also begun to invest in risk management tools to begin to analyze, mitigate, and ultimately, manage issues and incidents before they become losses.

Phase 4: ORM Nirvana
A handful of enterprises have entered Phase 4. This phase uses a holistic, enterprise-wide approach where anyone can input and access data throughout the organization, from senior management out to the business line owners and operators, and conduct various types of analyses to maximize the efficiency of the business and reduce the cost of operational risk and loss.

Conclusion
Regardless of which ORM phase organizations find themselves in, SOX and other corporate governance regulations are here to stay. Risk is inherent in all organizations. To meet these corporate governance regulations, an enterprise must implement a framework for identifying and managing risk beyond financial reporting. Not only can it mitigate this risk by implementing ORM, but it can also maximize business performance throughout the organization. The ORM vision is to create an environment where all personnel manage operational risk, and all strategic objectives are completed at the least possible cost to the organization. ORM raises the bar: a compliance culture is no longer acceptable.

© 2019 Simplex Knowledge Company. All Rights Reserved.